This was fixed in PR #37 but the PR was closed without merging. The fix was never applied to main.
src/CertManager.sol lines 581-584 still have wrong offsets:
ca := mload(add(packed, 0x1)) // should be 0x0
notAfter := mload(add(packed, 0x9)) // should be 0x1
maxPathLen := mload(add(packed, 0x11)) // should be 0x9
subjectHash := mload(add(packed, 0x31)) // should be 0x11
abi.encodePacked layout: ca(1) || notAfter(8) || maxPathLen(8) || subjectHash(32) || pubKey(48)
The warm cache path calls _loadVerified for every previously verified cert. With wrong offsets, cached certs return garbage values for ca, notAfter, maxPathLen and subjectHash. This affects the NitroValidator flow via verifyCachedCertBundle.
Fix diff in PR #37: #37
This was fixed in PR #37 but the PR was closed without merging. The fix was never applied to main.
src/CertManager.sollines 581-584 still have wrong offsets:abi.encodePackedlayout: ca(1) || notAfter(8) || maxPathLen(8) || subjectHash(32) || pubKey(48)The warm cache path calls
_loadVerifiedfor every previously verified cert. With wrong offsets, cached certs return garbage values for ca, notAfter, maxPathLen and subjectHash. This affects the NitroValidator flow viaverifyCachedCertBundle.Fix diff in PR #37: #37